I have setup opnSense and I am having a hell of a time getting the switch to work reliably when connecting to other players (Animal Crossing is the game in question, don't really have any other online multiplayer games yet).
The switch is:
- on it's own VLAN
- wired into the network
- being handed it's own static reserved IP from my DHCP/DNS server (not opnSense)
- verified that it has the correct IP assigned to it
- connected to the internet just fine (it can update software and passes all the internet tests)
- on a VLAN interface that has the correct firewall rules to allow all traffic from it to the WAN interface, but to block any traffic from it to my other VLANs.
- told to forget all wireless networks, so LAN connection is it's only option for a connection.
- set to connect automatically
- set to use an MTU of 1500
I did an internet test and got a NAT score of D. So I did the research and discovered that I need to set the opnSense box to a hybrid NAT setup, then create a rule for the switch with a static port (the setting of which are below). This took the score to a B. But I still cannot connect to other players. The game will connect to the internet, locate the other players send me over to them and then just before I land it will tell that there was an internet problem and disconnect.
So I did more research and discovered I can setup UPnP for that VLAN and that specific client, so I did that (setting used are below). Set that up to just work on the VLAN the switch is on, deny by default but allow ports 45000-65535 to be mapped to the switch IP. Rebooted the switch and tried again, still no luck (I also note that in the Status of the UPnP module no connection shows up).
I have no idea where to go from here, I am reasonably sure that the NAT rule is working and that this is not a firewall rule issue, though I am unsure of the PnP rule is working or not (it shows no sessions in the Status section).
Please help me before I end up throwing my 11yo out the window of moving car as she won't stop complaining about this issue.
My NAT rule is as follows:
- Disabled: Unchecked
- Do Not NAT: Unchecked
- Interface: WAN
- TP/IP Version: IPv4
- Protocol: Any
- Source Invert: Unchecked
- Source Address: Nintendo switch (an alias to the switch's IP)
- Source Port: Any
- Destination Invert: Unchecked
- Destination Address:Any
- Destination Port: Any
- Translation/Target: Interface Address
- Log: Unchecked
- Translation/port: Blank
- Static port: Checked
- Pool Options: Default
The remaining fields are all blank (Set Local Tag, Match Local Tag, No XMLRPC Sync and Desription).
The uPnP settings are:
- Enabled: Checked
- Allow UPnP Port Mapping: Checked
- Allow NAT-PMP Port Mapping: Checked
- External Interface: WAN
- Interfaces: Vlan of the switch
- Max Down: Blank
- Max Up: Blank
- Override WAN Address: Blank
- Lot NAT-PMP: Checked (Where is this logged?)
- Use System Time: Checked
- Default Deny: Checked
- Entry 1: allow 45000-65535 <switch IP> 45000-65525
Everything else is blank.
Physical layout is:Internet ------- Netgear Cable Modem -------- opnSense (VLAN 197) -------- Cisco 3560x ---------- Switch
And if it is relevant, I am on Comcast, with there 1Gb/s internet service.
Quote from: JRC on June 02, 2020, 02:48:29 AM
My NAT rule is as follows:
- Disabled: Unchecked
- Do Not NAT: Unchecked
- Interface: WAN
- TP/IP Version: IPv4
- Protocol: Any
- Source Invert: Unchecked
- Source Address: Nintendo switch (an alias to the switch's IP)
- Source Port: Any
- Destination Invert: Unchecked
- Destination Address:Any
- Destination Port: Any
Translation/Target: Interface Address
- Log: Unchecked
- Translation/port: Blank
- Static port: Checked
- Pool Options: Default
The remaining fields are all blank (Set Local Tag, Match Local Tag, No XMLRPC Sync and Desription).
No idea if it can help, but I have a PS4, I didn't need to enable uPnP and have setup the outbound rule like yours except for:
Translation/target: WAN addressAlso, source address for me it's the local IPv4 address assigned to the PS4 - 192.168.10.20/32 - and no idea if there are issues with your alias...
Quoteand no idea if there are issues with your alias...
Here it is. There are two host IPs because one is for the wireless interface and one is for the wired interface. For now I am not using the wireless interface at all.
Alias:Nintendo_Switch Host(s) 172.17.197.200,172.17.197.201
Quotehave setup the outbound rule like yours except for:
Translation/target: WAN address
I'll give that a try and see how it goes.
Thanks for the help.